In the previoustwo blog posts on Facebook Security I focused on the pros and cons of Facebook’s revised extended permissions model. This post tackles an even more controversial item, the Facebook Like Button.

The Facebook Like button is one of the hottest pieces of Facebook real estate these days. It’s popping up just about everywhere. Firstly because the open graph protocol allows any off-Facebook webpage to become part of the Facebook social graph, and to be liked, like a Facebook page. Like one of the in crowd.

Secondly, because it’s just so damn easy. The ease of use comes at a price, though.

A website can quite easily get a user to sign in with their Facebook account, and get the user to allow the website publishing access to their news feed. The Facebook like button then gives, on top of that, the website a bit of extended publishing access to the user’s Facebook account. Instead of just being able to publish to the user’s own news feed, it allows the website to publish to the Page the user liked, on the user’s behalf.

Let me demonstrate with an example.

… ACME have been a thriving business for decades. In the nineties, they had themselves a website built, and now they are allowing people to sign in on their website with their Facebook accounts, leave comments, share stuff, and tell their friends about their favorite ACME products. They are indeed on top of the social networking curve!

They also have an ACME Facebook Fan Page, with a Facebook Like Button on the front page of their website, that enables users to instantly become fans of the ACME Facebook Fan Page, without even visiting Facebook. Now, the past year, the ACME site shared the fact that users commented on blog posts on their Facebook News Feeds. Nice.

Recently though, a new guy in digital realized that when a user has liked the ACME Facebook Fan Page, the website can also post something to the ACME Fan Page newsfeed, on behalf of the user. Being a little on the daring side, the new guy in digital took this opportunity to add functionality that falsely publish something to the Page’s newsfeed about some random ACME product that the user apparently bought and REALLY liked, without the user knowing it. A few users were furious, but most users never even noticed it, since they never realized that they liked a physical page on Facebook. They just thought they were liking the ACME website …

In other words … once you have liked a Facebook Fan Page, its owner can use your account to make you say on their Facebook Fan Page’s newsfeed whatever they want you to say. Get the picture?